MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ba9fbfd1eecd1879588201af8b4498bcef57e8950286170dbb0c7c5b7ded6a17. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ba9fbfd1eecd1879588201af8b4498bcef57e8950286170dbb0c7c5b7ded6a17
SHA3-384 hash: 14399082760beccfdaf5278e9d05b1f97794cd898c30b44ac4b044ebdc16d9619b8979e9aeed09fd3d59a0c6fbf4535f
SHA1 hash: 36cd6ce22e5d7fc8ddd142584637238100ab96b1
MD5 hash: 81776e210ce744574f3d7995018dce4f
humanhash: arkansas-november-hawaii-louisiana
File name:QUOTATION.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:305'664 bytes
First seen:2020-06-16 06:23:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 6144:d5L5aKZzlK4sITGV7r/SnWuYyeYrNeuacBcGe8oo72OlJUDnQf:d5Lvu4vG1zSXYyeYrNIglj7tJT
Threatray 5'245 similar samples on MalwareBazaar
TLSH B954025DAB9CE326CA3D4A7CC4E0251403FEA15B3113D72A5FC0366EAD277E65A01E63
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: yuntong-batt.co
Sending IP: 111.90.141.203
From: Root User <root@localhost>
Subject: RE:RE: REVISED QUOTATION
Attachment: QUOTATION.rar (contains "QUOTATION.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
71
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/10639/
Detection(s):
SecuriteInfo.com.Artemis81776E210CE7.27971.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-06-16 06:25:06 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xkp37upozumhswecagxywreyxtxvp2evakdbodn3br6fw7pnnilq._file
Verdict:
malicious
Similar samples:
091fa5c2da8704e463202cad1bdd4f766ca66c28b3f60348c03288c4d4c3ce32
Formbook
18f5f4aa9b67c87202ed2456159ff033577a00bd227dc7b713de074f262d9897
Formbook
19833770b128f098f86b4d9daaedef96f8de222745a7e431999545c9c03bfb29
Formbook
310ce684bde85380d1c908579135f3ea6ff6f69c8475fad63a232020beaebd65
Formbook
51558f41331f2345cd146dc9705f48e8a6fdc425e6744658ff2ea53d42d34ae6
Formbook
64ff498497ee75879455fa623913eed07fae30f5e357bb247bedcf76e7d4e04f
Formbook
915317c4721161535e8ab7d081baa128d6678c50ff2135571965cf40b7167fb5
Formbook
9ba436351aa2ed6aa1c478d716b2b5e2dd6b6141c14aa8ded5089ed6951b9426
Formbook
a4906242ed8ef857d5fe0dd5b8e3f1f90baa1bdf6f1030ba09af4a2b8892e08b
Formbook
f310aa4f6cb0b3c3d237d13640594dd0a06f8c42ab5ecd1cba3daecc860129bf
Formbook
+ 5'235 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/201109-5w5sd367xe/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.nyoxibwer.com/20w/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar 0655d7f261d5a3670395551210bcfaa2ad1f985053df3790d5d2895e84d96f19

Formbook

Executable exe ba9fbfd1eecd1879588201af8b4498bcef57e8950286170dbb0c7c5b7ded6a17

(this sample)

  
Dropped by
MD5 a9d05587219e4e6aa9ee0b03cc02ca32
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 0655d7f261d5a3670395551210bcfaa2ad1f985053df3790d5d2895e84d96f19
Cape
Cape
https://www.capesandbox.com/analysis/10639/

Comments